Malware steals Apple IDs from jailbroken iPhones, iPads

updated 06:11 pm EDT, Tue April 22, 2014

by MacNN Staff

Works on 32-bit devices only for now, takes advantage of same flaws jailbreak uses

As has been predicted for some time, a new malware threat takes advantage of the same openings that jailbreaking creates -- a device whose code-signing enforcement has been defeated and which runs the Mobile Substrate injection framework -- to install itself on older jailbroken iPhones and iPads. The malware, most likely to turn up on devices where the user has installed third-party tweaks, hooks the system's TLS code to capture the user's Apple ID and password and transmits them to remote servers. Current 64-bit devices such as the iPhone 5s, iPad Air and second-generation iPad mini appear to be immune so far, since the library is built for 32-bit ARM only, as do un-jailbroken iOS devices of every kind, which do not load third-party libraries at all.

The malware, now dubbed "unflod" after the library it installs on infected devices (the library is signed with an Apple developer certificate, which may have been stolen), can be found on a 32-bit jailbroken device by opening the SSH or terminal access that jailbreaking usually installs and looking in /Library/MobileSubstrate/DynamicLibraries for a file called Unflod.dylib. It is unclear whether simply deleting that file removes the malware for good, since the library may be bundled inside one of the installed tweaks and could be re-downloaded or reinstalled the next time that tweak is installed or updated.
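As an added example (not code from the article, from Esser or from Sophos), the following script performs the check described above over the device's SSH session: it lists every extension in the MobileSubstrate directory, asks dpkg which package installed each one, flags Unflod.dylib, and quarantines it rather than deleting it. The dpkg ownership lookup, the meaning of the companion .plist beside each dylib, and the quarantine location are assumptions not stated in the article.

```sh
#!/bin/sh
# Added example, not code from the article, Esser or Sophos: inventory the
# MobileSubstrate extension directory on a jailbroken 32-bit device and flag
# the Unflod.dylib file named above. Run it as root over the SSH session the
# jailbreak installed (ssh root@<device-ip>).
#
# Assumptions not stated on the page: Cydia installs dpkg, so `dpkg -S` can
# name the package that owns a file, and a dylib that no package owns was
# dropped outside the package manager and deserves a closer look; the
# companion .plist next to each dylib is the Substrate filter that says which
# processes the extension is injected into.

SUBSTRATE_DIR="${SUBSTRATE_DIR:-/Library/MobileSubstrate/DynamicLibraries}"

# Print one line per extension: name, owning package (or UNOWNED), and whether
# a filter plist sits beside it. Exit status is 1 when Unflod.dylib is present
# and 0 otherwise, so `scan_substrate_dir "$SUBSTRATE_DIR" || echo infected` works.
scan_substrate_dir() {
    dir="$1"
    found=0
    for lib in "$dir"/*.dylib; do
        [ -e "$lib" ] || continue       # empty directory leaves the glob unexpanded
        name=$(basename "$lib")
        owner="dpkg-unavailable"
        if command -v dpkg >/dev/null 2>&1; then
            owner=$(dpkg -S "$lib" 2>/dev/null | cut -d: -f1)
            [ -n "$owner" ] || owner="UNOWNED"
        fi
        if [ -f "${lib%.dylib}.plist" ]; then filt="filter-plist"; else filt="no-filter-plist"; fi
        tag=""
        if [ "$name" = "Unflod.dylib" ]; then
            tag="   <-- unflod indicator"
            found=1
        fi
        printf '%s\t%s\t%s%s\n' "$name" "$owner" "$filt" "$tag"
    done
    return "$found"
}

# Move the library (and its filter plist, if any) out of the directory instead
# of deleting it, so Substrate stops loading it after the next respring while
# the sample stays available for analysis. Returns 1 if there was nothing to move.
quarantine_unflod() {
    dir="$1"
    qdir="$2"
    [ -f "$dir/Unflod.dylib" ] || return 1
    mkdir -p "$qdir" || return 1
    mv "$dir/Unflod.dylib" "$qdir/Unflod.dylib.quarantined" || return 1
    [ -f "$dir/Unflod.plist" ] && mv "$dir/Unflod.plist" "$qdir/Unflod.plist.quarantined"
    return 0
}

# Without an argument the script only defines the functions above.
case "${1:-}" in
    --scan)
        if scan_substrate_dir "$SUBSTRATE_DIR"; then
            echo "no Unflod.dylib in $SUBSTRATE_DIR"
        else
            echo "Unflod.dylib present in $SUBSTRATE_DIR; rerun with --quarantine"
        fi ;;
    --quarantine)
        quarantine_unflod "$SUBSTRATE_DIR" /var/root/unflod-quarantine \
            && echo "moved to /var/root/unflod-quarantine; respring or reboot, then change the Apple ID password" ;;
esac
```

Copy the script to the device and run `sh check_substrate.sh --scan`. Whichever package dpkg names as the owner of Unflod.dylib (or, if no package owns it, whichever tweak was added most recently) is the one to remove through Cydia, because reinstalling that tweak would put the library back; and since the library's whole purpose is to send the Apple ID elsewhere, the password should be changed regardless of what the scan finds.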

Security researcher Stefan Esser, who investigated the issue after Reddit users reported repeated crashes, says the library hooks the SSLWrite function in the device's Security framework, Ars Technica reports; because SSLWrite receives data before it is encrypted, the hook can scan outgoing traffic in the clear for strings associated with Apple ID logins even though the connection itself is protected by TLS. Sophos Labs, which has also analyzed the sample, has received no reports of Apple IDs compromised in the wild by the attack so far, but victims may not be aware that their ID has been taken, or may not think to report the problem to the company.

The Mobile Substrate framework, which unofficial software uses to modify and extend iOS in areas Apple has specifically placed off-limits -- for example, a library that bypasses the carrier's paid caller-ID service so users can see who is calling without paying for it -- can just as easily be used on a jailbroken device to inject malicious code. The jailbreaking community as a whole has been lucky on this front so far, but any exploit can be used for malicious as well as benign code injection, which is why Apple strongly recommends against jailbreaking even though it is legal to do so.

Applications with hidden functionality, usually designed to get around App Store rules, are well known among jailbreakers. A few have escaped Apple's review and appeared on the App Store, but almost none had malicious intent. Exploits for mobile platforms now sell for a lot of money, notes security researcher Charlie Miller, which greatly increases the temptation to put jailbreak exploits to illicit use.

The relative unpopularity of jailbreaking among iOS users is one reason the platform sees dramatically less malware -- statistically, close to zero -- than Android, which permits a much wider range of unpoliced, unofficial app stores and, unsurprisingly, now has 99 percent of all mobile malware directed at it.

Restoring an infected device to stock iOS, which removes the jailbreak along with the malware, fixes the problem for good, Esser reports, since the library cannot be loaded on an un-jailbroken device. Because the Apple ID and password may already have been sent to the attackers' servers, the password should be changed as well. Users who restore do take the risk that future iOS updates will be harder to jailbreak, gaining the platform's security but losing the unofficial tweaks and apps they enjoyed.

Jay Freeman, known as "Saurik" and creator of the primary unofficial app marketplace, Cydia, told Reddit readers that the "probability of this coming from a default [Cydia] repository is fairly low," but added that he doesn't recommend "people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by email on your desktop computer."

1 Comment

I have no sympathy for jailbreakers. They remove the most important security feature of iOS devices so who's surprised that the malware follows shortly thereafter.
At least MacNN put 'jailbreak' in the headline, unlike most other web sites, which leave that part off to give the impression that iOS is susceptible to malware.
